[dev][designate][dns] Adding private DNS feature
Dear Sir/Madam,

We are running OpenStack at scale and now have a requirement to have private DNS and were wondering if the designate team have any appetite for this? If yes, then further discussion is warranted as we would be happy to get the ball rolling on this.

Best Regards,
Sergey Drozdov
Software Engineer
The Hut Group
Hi Sergey,

Can you tell me a little bit more about what you want to accomplish? Private DNS can mean different things, such as DNS-over-TLS, DNS-over-HTTPS, split views, etc.

Michael

On Wed, Jul 20, 2022 at 12:51 PM Sergey Drozdov <sergey.drozdov.dev@gmail.com> wrote:
> Dear Sir/Madam,
>
> We are running OpenStack at scale and now have a requirement to have private DNS and were wondering if the designate team have any appetite for this? If yes, then further discussion is warranted as we would be happy to get the ball rolling on this.
>
> Best Regards,
> Sergey Drozdov
> Software Engineer
> The Hut Group
We're thinking more of a private view available to individual or shared amongst a defined set of tenants. Loosely something akin to having amphora that serve up internal DNS that can be shared among one or more tenants with a deep integration into nova/neutron. Use case would be for example an enterprise that utilises many projects for various teams but wants to offer a single DNS domain across projects that isn't externally facing. We'll flush out a better use case and proposed architecture in the coming weeks, we're just putting some feelers out to see if this kind of thing was of any interest or use to others.

________________________________
From: Michael Johnson <johnsomor@gmail.com>
Sent: 20 July 2022 22:59
To: Sergey Drozdov <sergey.drozdov.dev@gmail.com>
Cc: openstack-discuss <openstack-discuss@lists.openstack.org>
Subject: Re: [dev][designate][dns] Adding private DNS feature

> Hi Sergey,
>
> Can you tell me a little bit more about what you want to accomplish? Private DNS can mean different things, such as DNS-over-TLS, DNS-over-HTTPS, split views, etc.
>
> Michael
Danny Webb
Principal OpenStack Engineer
The Hut Group <http://www.thehutgroup.com/>
Email: Danny.Webb@thehutgroup.com
Hi Danny,

Ok, I think I have a bit better understanding of what you are interested in accomplishing. I see two different "features" in there, both of which have been talked about in the designate community.

1. Shared zones - Setup a zone that can be shared across projects.
2. DNS Views/Split horizon - Zones that return different answers based on ACLs such that an "internal" query may get a private address, but an "external" query may get a public address answer.

Shared zones have some proposed patches and are close to ready. It just needs to be updated to account for the new "secure RBAC" community goal[1] and some review/test work. At the PTG we agreed that this patch set should be a priority to finish up, but many of us have had downstream work that has postponed starting work on this.

DNS Views has a specification and some patches, but based on community feedback this approach is not going to work (major performance impact and will not work for many deployment scenarios). The patches have been abandoned by the developer. I think we need to restart the specification process on this feature before moving forward with it.

[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rba...

So, yes, there is community interest. I look forward to seeing what you are proposing and to see if we can align those needs with the above two features.

Michael

On Wed, Jul 20, 2022 at 3:46 PM Danny Webb <Danny.Webb@thehutgroup.com> wrote:
> We're thinking more of a private view available to individual or shared amongst a defined set of tenants. Loosely something akin to having amphora that serve up internal DNS that can be shared among one or more tenants with a deep integration into nova/neutron. Use case would be for example an enterprise that utilises many projects for various teams but wants to offer a single DNS domain across projects that isn't externally facing. We'll flush out a better use case and proposed architecture in the coming weeks, we're just putting some feelers out to see if this kind of thing was of any interest or use to others.